Bytes | Software Development & Data Engineering Community

sessions - with or without cookies

I've instituted a sessions based scheme on my web site to combat hot
linking to my images. When someone requests a page at my site, I set a
session variable. I then use htaccess to redirect *all* image requests
to a Php script that checks for that variable before simply delivering
the image. Direct links to my images will fail this test and no image
is served.

I am monitoring my script by sending emails to myself and finding that
this session variable is sometimes not set for what appear to be real
visitors to my pages (my page is the HTTP_REFERER ).

My first thought was that people were spoofing the referrer to look like
a request from my page (which I figured would have to be very - even
extremely - rare). On another hunch, I tried disabling cookies in my
browser and I got the same result. There is no session variable.

On my shared server:
session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = 0

I thought this meant that if a visitor has cookies disabled, the server
would send the session ID in the headers somehow (vague as my
understanding of this is), but I am not finding that to be the case.
There are several visitors every day that appear to be at my site, but
no session var has been set (so my script does not serve the images -
d'oh!).

I tried setting use_trans_sid, but I agree with the warning at Php.net
(that people will bookmark or email the URL with the session ID in it).
And I'd really rather not tack PHPSESSID=nnnnnnnnnnnnnnnnnnn onto URLs
.... and .... that didn't even work anyway (??).

Am I mistaken? I thought I could use sessions with visitors regardless
of their cookie settings.

Is there a way to insure that every visitor to my pages will, indeed,
return a session ID with further GET requests (for the images)?

--
*****************************
Chuck Anderson • Boulder, CO
*****************************
Jun 8 '07 #1
At Thu, 07 Jun 2007 21:12:26 -0600, Chuck Anderson let h(is|er) monkeys
type:
> I've instituted a sessions based scheme on my web site to combat hot
> linking to my images. [...] Is there a way to insure that every visitor to
> my pages will, indeed, return a session ID with further GET requests (for
> the images)?
Alas, not much help, but I have had a similar experience with a sessions
based guestbook script refusing valid messages for lack of the proper
session var being set.

Behaviour seemed too random (different browsers, addresses, times, cookies
on/off) to pinpoint exactly what caused it. Pressed for a timely solution
I then reverted to captcha usage and haven't done any more research since.

I've dealt with image/multimedia hotlinking issues solely via .htaccess

RewriteEngine on
# An empty Referer (privacy settings, direct visits) also fails this test.
RewriteCond %{HTTP_REFERER} !^https?://([-a-z0-9]+\.)?mydomain\.com(/|$) [NC]
# Leave the placeholder itself alone, or the rule would loop on it.
RewriteCond %{REQUEST_URI} !siteinfo\.png$
RewriteRule .*\.(jpe?g|gif|bmp|png|swf|wmv|mpe?g|avi)$ siteinfo.png [L]
--
Schraalhans Keukenmeester - sc*********@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]

"strcmp('apples','oranges') < 0"

Jun 8 '07 #2
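Schraalhans' rewrite rule above expressed in PHP, as an added example that is not his code or anything else posted in the thread. It exists to make two edge cases of a referer test explicit: a visitor who sends no Referer at all, and a referer host that merely starts with the site's name. The site host mydomain.com and the sample headers are constructed; PHP 8 is assumed:

```php
<?php
// Added example (not Schraalhans' .htaccess rule): the same referer test in
// PHP, written out so the cases a one-line RewriteCond hides are visible.
// The site host "mydomain.com" and the sample headers below are constructed.

function referer_allowed(?string $referer, string $site): bool
{
    // Many real visitors send no Referer at all (direct visits, bookmarks,
    // Referrer-Policy: no-referrer, privacy proxies). A rule that rejects an
    // empty header blocks exactly those visitors, so treat "missing" as
    // not-a-hotlink. The header is client-supplied and trivially spoofed, so
    // this is hotlink discouragement, not access control.
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;                        // garbage or a relative URL
    }
    $host = strtolower($host);
    $site = strtolower($site);
    // Accept the host itself or a subdomain of it. An unanchored pattern such
    // as "^http://([-a-z0-9]+\.)?mydomain\.com" would also let
    // "mydomain.com.attacker.example" through.
    return $host === $site || str_ends_with($host, '.' . $site);
}

// Constructed sample headers, one per branch of the check.
function check_samples(): array
{
    $samples = [
        '',
        'http://mydomain.com/gallery.html',
        'https://www.mydomain.com/',
        'http://MyDomain.COM/x',
        'http://mydomain.com.attacker.example/',
        'http://attacker.example/?ref=http://mydomain.com/',
        'not a url',
    ];
    $out = [];
    foreach ($samples as $r) {
        $out[$r] = referer_allowed($r, 'mydomain.com');
    }
    return $out;
}

foreach (check_samples() as $referer => $ok) {
    printf("%-52s %s\n", $referer === '' ? '(no Referer)' : $referer, $ok ? 'allow' : 'block');
}
```

Whichever form the check takes, the Referer header is chosen by the client, so this only discourages casual hotlinking; the session-based approach in the rest of the thread is harder to bypass, but it brings the cookie problem the original post describes.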
Chuck Anderson wrote:
> I've instituted a sessions based scheme on my web site to combat hot
> linking to my images. [...] Is there a way to insure that every visitor to
> my pages will, indeed, return a session ID with further GET requests (for
> the images)?
AFAIK, there are 2 methods of propagating PHPSESSID, and those are
cookies and the url. I don't know of a third mechanism, but if someone
does please share it with us. :)

To enable both methods, you'd have to have

session.use_cookies = On
session.use_only_cookies = Off
session.use_trans_sid = 1

This setting would mean PHP would try to use cookies, and if those are
not available (disabled), it would automatically rewrite all the links
in the page adding ?PHPSESSID=... at the end.

However, and I've just tested this, PHP would not (at least by default)
rewrite the SRC attribute of IMG tag, unlike the HREF attribute of the A
tag which it does rewrite. That would mean, even if your PHP that does
the checking was able to get the parameters passed through the image
url, it would not receive the PHPSESSID and thus would not be able to
access the session data for clients with cookies disabled.

I suggest the following. Write a couple of simple PHP pages like this

test1.php
*****************
<?php
session_start();

$_SESSION["visited"] = 1; // or whatever your flag variable is called
?>

Click <a href="test2.php">here</a> to go to test2!
*****************

test2.php
*****************
<?php
session_start();
?>

This is a <a href="test1.php">link!</a>
<br />
This is an image without sessid<br /><br />
<img src="image1.jpg">
This is an image with sessid<br /><br />
<img src="image1.jpg?PHPSESSID=<?php echo session_id(); ?>">
*****************

Disable cookies in your browser, go to the test1.php page, click the link to
go to test2.php and tell us what you see.



Jun 8 '07 #3

> That would mean, even if your PHP that does the checking was able to get
> the parameters passed through the image url...

I'll stress this. I haven't experimented much with .htaccess beyond
basic access control so I'm not really sure how that redirect works and
what is being passed to your php script that checks the session flag
variable and what isn't.

Jun 8 '07 #4
Schraalhans Keukenmeester wrote:
> At Thu, 07 Jun 2007 21:12:26 -0600, Chuck Anderson let h(is|er) monkeys
> type:
>> I've instituted a sessions based scheme on my web site to combat hot
>> linking to my images. [...]
>
> Alas, not much help, but I have had a similar experience with a sessions
> based guestbook script refusing valid messages for lack of the proper
> session var being set. [...]
>
> I've dealt with image/multimedia hotlinking issues solely via .htaccess
> [...]
I am seeing very definite results when I test from my own browser. With
cookies enabled, the session var is always set.

However, if I disable cookies, what happens is this (as it appears to
me). When I enter the page (with image(s) in it), I call session_start
and set my var. When the image requests are redirected (via htaccess) to
the image server script, each call to session_start (one for every image
on the page) creates a new session (empty sessions). This makes sense,
as my browser is not sending a cookie telling the server a session is in
use. Based on that, I tried setting session.use_trans_sid, but that did
not change anything (which seems puzzling).

I have to enable cookies to pass the session_id from my browser to the
server (??).

I've also changed session.save_path to a directory in my home path
(above my web space). This makes it easier for me to track what's
happening, but has not changed anything.

I've been reading (at php.net) about using session_write_close():
http://us2.php.net/manual/en/ref.session.php#62486
http://us2.php.net/manual/en/ref.session.php#64525

.... but using that has not helped, either. Besides, I don't think it's
relevant. The first reference has to do with using header redirect
(which I'm not doing) and the second is about locking a session file in
case concurrent page load tries to write to it.

I think use_trans_sid could be the key .... but use_trans_sid does not
seem to be working.

Now, though, it's time for the pub where I can let my my mind wander in
a more relaxed state. Maybe I'll stumble upon some insight. ô¿Ô¬ (I do
some of my best thinking while staring mindlessly at beer taps and
swilling pints.)

--
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Jun 9 '07 #5
Denis Gerina wrote:
> Chuck Anderson wrote:
>> I've instituted a sessions based scheme on my web site to combat hot
>> linking to my images. [...]
>
> AFAIK, there are 2 methods of propagating PHPSESSID, and those are
> cookies and the url. [...]
>
> However, and I've just tested this, PHP would not (at least by default)
> rewrite the SRC attribute of IMG tag, unlike the HREF attribute of the A
> tag which it does rewrite. [...]
>
> I suggest the following. Write a couple of simple PHP pages like this
> [...] Disable cookies in your browser, go to the test1.php page, click the
> link to go to test2.php and tell us what you see.

A worthy test. I'll try some simple scripts like that .... later (it's
late).

I think I need to go back and read this again, too:
http://nedmartin.org/site/hotlink-prevention

..... He actually comes to the conclusion that cookies must be enabled.

I think I may have hit a road block in my plan.

--
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Jun 9 '07 #6
..oO(Chuck Anderson)
> I am seeing very definite results when I test from my own browser. With
> cookies enabled, the session var is always set.
>
> However, if I disable cookies, what happens is this (as it appears to
> me). When I enter the page (with image(s) in it), I call session_start
> and set my var. When the image requests are redirected (via htaccess) to
> the image server script, each call to session_start (one for every image
> on the page) creates a new session (empty sessions).

Correct, because by default PHP doesn't rewrite <img> tags when
session.use_trans_sid is enabled.

> This makes sense,
> as my browser is not sending a cookie telling the server a session is in
> use. Based on that, I tried setting session.use_trans_sid, but that did
> not change anything (which seems puzzling).

Have a look at url_rewriter.tags and adjust it as required.

Micha
Jun 11 '07 #7
Michael Fesser wrote:
> .oO(Chuck Anderson)
>> [...] each call to session_start (one for every image
>> on the page) creates a new session (empty sessions).
>
> Correct, because by default PHP doesn't rewrite <img> tags when
> session.use_trans_sid is enabled.
>
>> [...] I tried setting session.use_trans_sid, but that did
>> not change anything (which seems puzzling).
>
> Have a look at url_rewriter.tags and adjust it as required.
>
> Micha
Nice! Thanks for that. That could be just what I'm looking for. I'll
have to experiment with it later (but for now I've .... places to go,
..... people to see, .... things to do ....)

I'll post back my results.

--
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Jun 11 '07 #8
Chuck Anderson wrote:
> Michael Fesser wrote:
>> Have a look at url_rewriter.tags and adjust it as required.
>
> Nice! Thanks for that. That could be just what I'm looking for. [...]
> I'll post back my results.

Okay, ... this is all pretty much in a finalized state. I do have one
question, though (I'll get to later).

(This is all about hotlinking protection using sessions - see previous
posts).

1. Since many of my pages are old (plain html), I've added a redirect
in htaccess (per directory, as I want to) to send .html requests to a
php script.

2. In that script I set session.use_trans_sid to 1 (On) and set
url_rewriter.tags to "img=src" (and only that) in case the visitor has
cookies disabled (if cookies are disabled, image request URLs include
the session ID). Then it starts a session, sets a variable, verifies
the request html file is valid, and includes that file (otherwise 404).

If the file containing the images is a Php file, I include the above in
the top of the php file.

3. In the same htaccess file (Step 1.) I redirect all image requests
(where referrer does not begin with my domain) to an image serving
script. When an image is requested, if the session var is set, I
deliver the image, otherwise I do "something else" (many options here,
but ultimately a simple ....
header("HTTP/1.1 404 Not Found"); exit;
..... is all that's needed).

After many trials, and now in this final state, the scripts seem to be
doing the job quite well. It appears that all visitors to my site can
see images (I am monitoring the results).

Here is my question, though. In the case where the visitor has disabled
cookies, my image serving script has to detect the session ID in the
$_GET array, extract it (if it is there) and set the session_id with
that value before I call session_start. The session functions do not
automatically detect it and use it (as I thought it would/should?). I
have to do that in my script. It was my impression that the session
functions would do that automatically with use_trans_sid.

--
Chuck Anderson • Boulder, CO
Jun 16 '07 #9
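The finalized scheme above, as an added example that is not Chuck Anderson's code (the thread never shows his scripts). It covers the three steps of this post together with the url_rewriter.tags point from post #7 and the empty-session behaviour described in post #3 and post #5. It assumes PHP 8, the directory layout, flag name and rewrite rules given in the comments, and PHP's default session name PHPSESSID; all of those are hypothetical:

```php
<?php
// Added example, not Chuck Anderson's scripts (the thread never shows them).
// It implements the three steps of post #9 plus the url_rewriter.tags change
// from post #7, in PHP 8. Paths, the flag name and the rewrite rules are all
// assumptions. Assumed .htaccess in the protected directory:
//   RewriteEngine On
//   RewriteRule ^([^/]+\.html)$ page.php?page=$1 [L,QSA]
//   RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
//   RewriteRule ^(.+\.(?:jpe?g|gif|png))$ image.php?file=$1 [L,QSA]
// [QSA] matters: without it the "?PHPSESSID=..." that trans_sid appends to
// <img src> is dropped by the rewrite and image.php never receives the ID.

const FLAG   = 'came_from_page';        // session flag (assumed name)
const PAGES  = __DIR__ . '/pages';      // static .html files (assumed)
const IMAGES = __DIR__ . '/images';     // protected images (assumed)
const MIME   = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'gif' => 'image/gif',  'png'  => 'image/png'];

// The ID trans_sid appended to the image URL, if any. The format check
// matters: PHP turns the ID into a file name under session.save_path.
function url_session_id(): ?string
{
    $id = $_GET[session_name()] ?? null;
    return (is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id)) ? $id : null;
}

function start_hotlink_session(bool $rewrite_output): void
{
    ini_set('session.use_only_cookies', '0');   // accept an ID from the URL
    ini_set('session.use_strict_mode', '1');    // regenerate rather than adopt unknown IDs
    // Rewrite output only for HTML pages, never for the binary image response.
    ini_set('session.use_trans_sid', $rewrite_output ? '1' : '0');
    // PHP's default list is a=href,area=href,frame=src,form=; using only
    // img=src keeps the ID out of bookmarkable links (the php.net warning).
    ini_set('url_rewriter.tags', 'img=src');
    // Cookie users are handled by session_start() itself. For cookie-less
    // visitors adopt the URL-carried ID explicitly (Chuck's closing question);
    // doing it for cookie users too would make PHP rewrite their <img> as well.
    if (!isset($_COOKIE[session_name()]) && ($id = url_session_id()) !== null) {
        session_id($id);
    }
    session_start();
}

// Confines a user-supplied relative path to $base (blocks ../ and symlinks out).
function safe_path(string $base, string $rel): ?string
{
    $real = realpath($base . '/' . $rel);
    $root = realpath($base);
    return ($real !== false && $root !== false && str_starts_with($real, $root . '/'))
        ? $real : null;
}

// ---- page.php: steps 1 and 2 ----
function serve_page(string $requested): void
{
    start_hotlink_session(true);
    $_SESSION[FLAG] = true;                     // mark this visitor as "on a page"
    $path = safe_path(PAGES, $requested);
    if ($path === null || !str_ends_with($path, '.html')) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: text/html; charset=utf-8');
    // readfile() output passes through the trans_sid output handler, so for a
    // cookie-less visitor <img src="a.jpg"> leaves as <img src="a.jpg?PHPSESSID=...">.
    readfile($path);
}

// ---- image.php: step 3 ----
function serve_image(string $requested): void
{
    // No ID at all means no flag can exist: answer 404 without session_start(),
    // which would otherwise create one empty session file per image request
    // (the behaviour Chuck saw with cookies off).
    if (!isset($_COOKIE[session_name()]) && url_session_id() === null) {
        http_response_code(404);
        exit;
    }
    start_hotlink_session(false);
    $allowed = !empty($_SESSION[FLAG]);
    session_write_close();                      // release the lock; images load in parallel
    $path = safe_path(IMAGES, $requested);
    $ext  = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!$allowed || $path === null || !isset(MIME[$ext])) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . MIME[$ext]);
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// The rewrite rules decide which branch a request takes.
if (isset($_GET['page'])) {
    serve_page((string) $_GET['page']);
} elseif (isset($_GET['file'])) {
    serve_image((string) $_GET['file']);
} else {
    http_response_code(404);
}
```

Two design points are worth keeping whatever the rest looks like: image.php refuses to call session_start() when no ID arrived at all, so cookie-less hotlinkers no longer leave one empty session file per request, and an ID taken from the URL is format-checked and run under session.use_strict_mode before it is adopted, because trans_sid lets anyone who publishes a link choose the ID it carries. Since the session holds nothing but a flag, that is a small risk here, but it becomes a session-fixation problem the moment the same session also holds a login.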
